Introduction to the logging service
rsyslog features (CentOS 6 and 7):
Multi-threaded
UDP, TCP, SSL, TLS, RELP
Log storage in MySQL, PGSQL, Oracle
Powerful filters that can match any part of a log message
Custom output formats
ELK: elasticsearch, logstash, kibana
Non-relational distributed database
Based on Lucene, a project of the Apache Software Foundation's Jakarta project group
Elasticsearch is an open-source distributed search engine
Logstash collects and parses logs and stores them for later use
Kibana provides a user-friendly web interface for log analysis
Terminology (see man logger)
facility: categorizes log messages by the function or program that produced them
auth, authpriv, cron, daemon, ftp, kern, lpr, mail, news, security(auth), user, uucp, local0-local7, syslog
Priority: severity level, ordered from low to high
debug, info, notice, warn(warning), err(error), crit(critical), alert, emerg(panic)
See also: man 3 syslog
Package: rsyslog
Main program: /usr/sbin/rsyslogd
CentOS 6: service rsyslog {start|stop|restart|status}
CentOS 7: /usr/lib/systemd/system/rsyslog.service
Configuration files: /etc/rsyslog.conf, /etc/rsyslog.d/*.conf
Library files: /lib64/rsyslog/*.so
Configuration file format: three sections
MODULES: module configuration
GLOBAL DIRECTIVES: global settings
RULES: logging rules
RULES format: facility.priority; facility.priority… target
facility:
*: all facilities
facility1,facility2,facility3,...: the listed facilities
priority:
*: all levels
none: no level, i.e. nothing is logged
PRIORITY: the given level and all higher levels
=PRIORITY: only messages of exactly the given level
target:
File path: usually under /var/log/; a leading - before the path means asynchronous writes
User: notify the given users of the log event; * means all logged-in users
Log server: @host sends the log to the given remote server
Pipe: | COMMAND
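The selector semantics above (a * facility or level, none, PRIORITY meaning that level and above, =PRIORITY meaning exactly that level, and a later selector for a facility replacing an earlier one) worked through in code. This is an added example, not part of the original notes or of rsyslog itself; the function names and the sample events are constructed for illustration, and the selectors tried are the ones from the /etc/rsyslog.conf shown further down.

```python
"""Evaluate rsyslog/sysklogd-style selectors (facility.priority; ...) against a message.

Added example for the RULES format described in the notes; not part of the notes
or of rsyslog. Function names and sample events are constructed for illustration.
"""

# Priorities from low to high, as listed in the notes; aliases map to the canonical name.
PRIORITY_ORDER = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
PRIORITY_ALIASES = {"warn": "warning", "error": "err", "critical": "crit", "panic": "emerg"}


def priority_index(name):
    """Return the rank of a priority name (0 = debug ... 7 = emerg)."""
    name = PRIORITY_ALIASES.get(name.lower(), name.lower())
    return PRIORITY_ORDER.index(name)


def selector_matches(selectors, facility, priority):
    """Decide whether a rule whose selector field is `selectors` would log a message.

    `*` = all facilities / all levels, `none` = log nothing, `PRIORITY` = that level
    and above, `=PRIORITY` = exactly that level. Selectors are applied left to right
    and a later selector naming the same facility replaces an earlier one; that is
    what lets `*.info;mail.none` exclude mail again after `*` included it.
    """
    msg_rank = priority_index(priority)
    logged = False
    for selector in selectors.split(";"):
        selector = selector.strip()
        if not selector:
            continue
        fac_part, _, pri_part = selector.rpartition(".")
        facilities = {f.strip() for f in fac_part.split(",")}
        if "*" not in facilities and facility not in facilities:
            continue  # this selector says nothing about our facility
        if pri_part == "none":
            logged = False
        elif pri_part == "*":
            logged = True
        elif pri_part.startswith("="):
            logged = msg_rank == priority_index(pri_part[1:])
        else:
            logged = msg_rank >= priority_index(pri_part)
    return logged


def matching_events(selectors, events):
    """Return the (facility, priority) pairs from `events` that the selector would log."""
    return [(f, p) for f, p in events if selector_matches(selectors, f, p)]


if __name__ == "__main__":
    # Constructed events, run against the rules from the notes' /etc/rsyslog.conf.
    events = [("kern", "warning"), ("mail", "err"), ("authpriv", "info"), ("cron", "notice"),
              ("user", "debug"), ("news", "crit"), ("local7", "debug")]
    for rule, target in [("*.info;mail.none;authpriv.none;cron.none", "/var/log/messages"),
                         ("authpriv.*", "/var/log/secure"),
                         ("uucp,news.crit", "/var/log/spooler"),
                         ("*.emerg", "*")]:
        print(f"{rule:45} -> {target:20} {matching_events(rule, events)}")
```

Running the script shows why the messages rule needs its three .none entries: without them the authpriv records that belong in /var/log/secure would also be duplicated into the world-readable /var/log/messages.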
Typical log line format:
date time host process[pid]: message
e.g. /var/log/messages, cron, secure
Configuring rsyslog as a log server
#### MODULES ####
# Provides UDP syslog reception (enable the UDP protocol)
$ModLoad imudp
$UDPServerRun 514
# Provides TCP syslog reception (enable the TCP protocol)
$ModLoad imtcp
$InputTCPServerRun 514
Other log files
/var/log/secure: system security log, text format, should be analysed periodically
/var/log/btmp: failed login attempts on this system, binary format, view with the lastb command
/var/log/wtmp: successful logins on this system, binary format, view with the last command
/var/log/lastlog: each user's most recent login, binary format, view with the lastlog command
/var/log/dmesg: messages from the boot process, text format, view with any text viewer
or with the dedicated dmesg command
/var/log/messages: most system messages
/var/log/anaconda: anaconda logs
[root@root ~]# cat /etc/rsyslog.conf
# rsyslog v5 configuration file
# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
#### MODULES ####
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog # provides kernel logging support (previously done by rklogd)
#$ModLoad immark # provides --MARK-- message capability
# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514
# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514
#### GLOBAL DIRECTIVES ####
# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on
# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf
#### RULES ####
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# everything at info level or higher, except the mail, authpriv and cron facilities, goes to /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# authpriv (authentication) messages go to /var/log/secure
# Log all the mail messages in one place.
mail.* -/var/log/maillog
# mail messages of all levels are written asynchronously to /var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# all cron scheduler messages go to /var/log/cron
# Everybody gets emergency messages
*.emerg *
# emerg-level messages from every facility are sent to all users logged in to this host
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# crit-level and higher events from uucp and news are written to /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
# boot messages go to /var/log/boot.log
# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$WorkDirectory /var/lib/rsyslog # where to place spool files
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList # run asynchronously
#$ActionResumeRetryCount -1 # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
# ### end of the forwarding rule ###
[root@root network-scripts]# cat /etc/ssh/sshd_config
# $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
# sshd's logs are recorded under the authpriv facility
#LogLevel INFO
# messages at info level or higher are written to the file configured for the AUTHPRIV facility
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedKeysCommand none
#AuthorizedKeysCommandRunAs nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes
# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no
UsePAM yes
# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
# no default banner path
#Banner none
# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# ForceCommand cvs server
- Test before making any changes
[root@root ~]# logger "chenxininhao"
- Check the result
[root@root ~]# tail -1 /var/log/messages
Aug 9 14:06:41 root root: chenxininhao
- Test the log records written by ssh from another host
[root@localhost ser]# ssh 172.16.253.183
The authenticity of host '172.16.253.183 (172.16.253.183)' can't be established.
RSA key fingerprint is a9:ad:42:ec:d4:20:cd:a2:ee:67:98:0c:f9:79:74:f8.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.253.183' (RSA) to the list of known hosts.
root@172.16.253.183's password:
Last login: Wed Aug 9 10:46:10 2017 from 192.168.75.1
[root@root ~]#
- On 172.16.253.183, check the log records written by ssh. sshd's logs are handed to the authpriv facility,
because the sshd configuration file reads:
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
# sshd's logs are handled by the authpriv facility
#LogLevel INFO
- Check the corresponding log server setting: all authpriv logs are recorded in /var/log/secure
# The authpriv file has restricted access.
authpriv.* /var/log/secure
(facility.priority, where * means all levels, followed by the file the records are written to)
- View ssh's log records
[root@root ~]# tail -3 /var/log/secure
Aug 9 10:46:10 root sshd[3923]: pam_unix(sshd:session): session opened for user root by (uid=0)
Aug 9 14:10:30 root sshd[4258]: Accepted password for root from 172.16.253.147 port 57124 ssh2
- Change the log file used by sshd
1. Edit the logging service's configuration file
[root@root ~]# vim /etc/rsyslog.conf
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# everything at info level or higher, except the mail, authpriv and cron facilities, goes to /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# authpriv authentication messages go to /var/log/secure
# Log all the mail messages in one place.
mail.* -/var/log/maillog
# mail messages of all levels are written asynchronously to /var/log/maillog
local0.* /var/log/sshdlog
# new rule: messages of all levels from the local0 facility are written to /var/log/sshdlog
2. Edit the sshd service's configuration file
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#SyslogFacility AUTHPRIV
SyslogFacility local0
# hand all of sshd's logs to the local0 facility
3. Restart both services
[root@root network-scripts]# service sshd restart
停止 sshd: [确定]
正在启动 sshd: [确定]
[root@root ~]# service rsyslog restart
关闭系统日志记录器: [确定]
启动系统日志记录器: [确定]
4. Test
(1)[root@localhost ser]# ssh 172.16.253.183
root@172.16.253.183's password:
Last login: Wed Aug 9 14:10:30 2017 from 172.16.253.147
[root@root ~]#
(2)[root@root ~]# cat /var/log/sshdlog
Aug 9 14:39:04 root sshd[4402]: Accepted password for root from 172.16.253.147 port 57126 ssh2
--
5. Notify users instead of writing sshd's logs to a text file
local0.* root,chenxi
# messages of all levels from local0 are delivered to the users root and chenxi; * would notify every user logged in to the machine
[root@root ~]# service rsyslog restart
关闭系统日志记录器: [确定]
启动系统日志记录器: [确定]
(Test from the client)
[root@localhost ser]# ssh 172.16.253.183
root@172.16.253.183's password:    (wrong password entered)
Permission denied, please try again.
root@172.16.253.183's password:    (correct password)
Last login: Wed Aug 9 14:39:04 2017 from 172.16.253.147
Check on the server
Remote logging: record what happens on host 6 (CentOS 6) on host 7 (CentOS 7)
# rsyslog configuration file
# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
#### MODULES ####
# The imjournal module bellow is now used as a message source instead of imuxsock.
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
#$ModLoad imklog # reads kernel messages (the same are read from journald)
#$ModLoad immark # provides --MARK-- message capability
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
Listen on UDP port 514 so that remote hosts can write their logs to this host
# Provides TCP syslog reception
Save and exit, then restart the service
[root@localhost ser]# service rsyslog restart
Redirecting to /bin/systemctl restart rsyslog.service
Check whether UDP port 514 is open
[root@localhost ser]# ss -nlu
State Recv-Q Send-Q Local Address:Port Peer Address:Port
UNCONN 0 0 127.0.0.1:323 *:*
UNCONN 0 0 *:514 *:*
On host 6, test that local logging works
[root@root ~]# logger "chenxi 99"
[root@root ~]# tail -1 /var/log/messages
Aug 9 15:39:03 root root: chenxi 99
Modify the rule in the logging configuration file
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none @172.16.253.147
# everything at info level or higher, except the mail, authpriv and cron facilities, is sent over UDP to 172.16.253.147 to be recorded there;
# a single @ means UDP, two (@@) mean TCP
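What a forwarding rule like the one above actually puts on the wire: the classic BSD syslog message carries a PRI field computed as facility * 8 + severity, followed by the same "date time host process[pid]: message" text the local files contain. The encoder/decoder below is an added example, not part of the original notes or of rsyslog; the numeric facility and severity codes are those of syslog(3), the sample message is built from the sshd line shown later in the notes, and the assumption that sshd emits that line at info level is mine. Note that the numeric severity order is the reverse of the low-to-high priority list in the notes (emerg is the most severe but has code 0).

```python
"""Build and decode the BSD syslog (RFC 3164) message that an `@host` rule forwards.

Added example for the forwarding rules in the notes; not part of the notes or of
rsyslog. The sample message is constructed from an sshd line shown in the notes.
"""
import re

# Numeric facility codes from syslog(3); the names are those used in the notes.
FACILITY_CODES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5, "lpr": 6,
    "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
}
FACILITY_CODES.update({f"local{i}": 16 + i for i in range(8)})
FACILITY_NAMES = {code: name for name, code in FACILITY_CODES.items()}

# Severity codes: numerically the reverse of the low-to-high list in the notes.
SEVERITY_CODES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
                  "warning": 4, "notice": 5, "info": 6, "debug": 7}
SEVERITY_NAMES = {code: name for name, code in SEVERITY_CODES.items()}

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def encode_pri(facility, severity):
    """PRI = facility * 8 + severity, e.g. local0.info -> 134."""
    return FACILITY_CODES[facility] * 8 + SEVERITY_CODES[severity]


def decode_pri(pri):
    """Split a PRI value back into (facility, severity) names."""
    fac_code, sev_code = divmod(pri, 8)
    # codes 12-15 are reserved and have no name in the notes, so fall back to a label
    return FACILITY_NAMES.get(fac_code, f"facility{fac_code}"), SEVERITY_NAMES[sev_code]


def build_datagram(facility, severity, timestamp, host, tag, msg):
    """Return the wire bytes a rule such as `local0.* @172.16.253.147` sends.

    `@` sends exactly this text as one UDP datagram to port 514; `@@` sends the
    same text over a TCP connection instead.
    """
    line = f"<{encode_pri(facility, severity)}>{timestamp} {host} {tag}: {msg}"
    return line.encode("utf-8")


def parse_datagram(data):
    """Receiver side: recover facility, severity and the text after the PRI."""
    m = PRI_RE.match(data.decode("utf-8"))
    if not m:
        raise ValueError("missing <PRI> header")
    facility, severity = decode_pri(int(m.group(1)))
    return {"facility": facility, "severity": severity, "text": m.group(2)}


if __name__ == "__main__":
    # Constructed from the sshd record in the notes, assuming sshd logs it at info level.
    datagram = build_datagram("local0", "info", "Aug  9 16:17:27", "root", "sshd[4915]",
                              "Failed password for root from 192.168.75.129 port 53380 ssh2")
    print(datagram)
    print(parse_datagram(datagram))
```

The decoder also shows the limit of plain UDP or TCP forwarding: the receiver trusts whatever PRI and hostname the datagram carries, so the listener on port 514 should be reachable only from the hosts that are meant to log to it.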
Restart
Test
[root@root ~]# service rsyslog restart
关闭系统日志记录器: [确定]
启动系统日志记录器: [确定]
[root@root ~]# logger "chenxi 99"
[root@root ~]# logger "chenxi 699"
Check the log on host 7
[root@localhost ser]# tail -1 /var/log/messages
Aug 9 15:51:42 root root: chenxi 699
Make the logs of the sshd service on host 6 go over TCP
[root@root ~]# vim /etc/ssh/sshd_config
#SyslogFacility AUTHPRIV
SyslogFacility local0
# hand the sshd service's logs to the local0 facility
#LogLevel INFO
Save and exit; restart
[root@root ~]# service sshd restart
停止 sshd: [确定]
正在启动 sshd: [确定]
[root@root ~]# vim /etc/rsyslog.conf
local0.* @@172.16.253.147
# local0 messages are written to 172.16.253.147 over TCP
Restart the logging service
[root@root ~]# service rsyslog restart
关闭系统日志记录器: [确定]
启动系统日志记录器: [确定]
Steps on server 7
[root@root ~]# vim /etc/rsyslog.conf
# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514
# enable TCP so that remote hosts can write their logs to this host
Restart the logging service
[root@localhost ser]# systemctl restart rsyslog
Check the ports
[root@localhost ser]# ss -nltu
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
udp UNCONN 0 0 127.0.0.1:323 *:*
udp UNCONN 0 0 *:514 *:*
udp UNCONN 0 0 *:68 *:*
udp UNCONN 0 0 *:42623 *:*
udp UNCONN 0 0 ::1:323 :::*
udp UNCONN 0 0 :::514 :::*
udp UNCONN 0 0 :::4661 :::*
tcp LISTEN 0 128 *:22 *:*
tcp LISTEN 0 25 *:514 *:*
tcp LISTEN 0 80 :::3306 :::*
tcp LISTEN 0 128 :::80 :::*
tcp LISTEN 0 128 :::22 :::*
tcp LISTEN 0 25 :::514 :::*
Test
[root@gh ~]# ssh 192.168.75.128
root@192.168.75.128's password:
Last login: Wed Aug 9 16:19:11 2017 from 192.168.75.129
[root@root ~]#
[root@localhost ser]# tail -1 /var/log/messages
Aug 9 16:17:27 root sshd[4915]: Failed password for root from 192.168.75.129 port 53380 ssh2
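The sshd records that the tests above write to /var/log/secure, /var/log/sshdlog and the remote /var/log/messages all share the "date time host process[pid]: message" layout described at the start of the notes, which is what makes them easy to analyse on the log server. The following is an added example of doing that, not code from the original notes or from rsyslog or OpenSSH: it parses lines in that layout, keeps only sshd "Accepted"/"Failed" authentication results, counts failures per source address and flags a source that eventually logged in after repeated failures. The sample lines are constructed in the shape of the ones shown in the notes (two of them are the notes' own records), and the failure threshold is an arbitrary illustrative value.

```python
"""Summarise sshd authentication events from syslog lines of the form
"date time host process[pid]: message", as written by the rules in the notes.

Added example, not part of the original notes, rsyslog or OpenSSH. The sample
lines are constructed; fail_threshold is an arbitrary illustrative value.
"""
import re
from collections import Counter, defaultdict

# e.g. "Aug 9 14:10:30 root sshd[4258]: Accepted password for root from 172.16.253.147 port 57124 ssh2"
LINE_RE = re.compile(
    r"^(?P<month>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>[^\[\s:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# sshd's own authentication result lines; "invalid user" marks an unknown account name
AUTH_RE = re.compile(
    r"^(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)"
)

# Constructed sample: the notes' records plus a few invented lines in the same shape.
SAMPLE_LINES = [
    "Aug 9 10:46:10 root sshd[3923]: pam_unix(sshd:session): session opened for user root by (uid=0)",
    "Aug 9 14:10:30 root sshd[4258]: Accepted password for root from 172.16.253.147 port 57124 ssh2",
    "Aug 9 15:39:03 root root: chenxi 99",
    "Aug 9 16:17:27 root sshd[4915]: Failed password for root from 192.168.75.129 port 53380 ssh2",
    "Aug 9 16:17:31 root sshd[4915]: Failed password for root from 192.168.75.129 port 53380 ssh2",
    "Aug 9 16:17:35 root sshd[4915]: Failed password for root from 192.168.75.129 port 53380 ssh2",
    "Aug 9 16:19:11 root sshd[4915]: Accepted password for root from 192.168.75.129 port 53380 ssh2",
    "Aug 9 16:20:02 root sshd[4930]: Failed password for invalid user admin from 10.0.0.9 port 40000 ssh2",
]


def parse_line(line):
    """Split one syslog line into its fields, or return None if it is not in that layout."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def auth_events(lines):
    """Yield one dict per sshd Accepted/Failed record; other processes and messages are skipped."""
    for line in lines:
        fields = parse_line(line)
        if not fields or fields["proc"] != "sshd":
            continue
        m = AUTH_RE.match(fields["msg"])
        if m:
            yield {**fields, **m.groupdict()}


def summarise(lines, fail_threshold=3):
    """Count failures per source IP and flag sources that succeeded after repeated failures."""
    failed = Counter()
    accepted = defaultdict(list)
    for ev in auth_events(lines):
        if ev["result"] == "Failed":
            failed[ev["ip"]] += 1
        else:
            accepted[ev["ip"]].append(ev["user"])
    suspicious = sorted(ip for ip, n in failed.items() if n >= fail_threshold and ip in accepted)
    return {
        "failed": dict(failed),
        "accepted": {ip: sorted(set(users)) for ip, users in accepted.items()},
        "failed_then_accepted": suspicious,
    }


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_LINES).items():
        print(f"{key}: {value}")
```

The same function can be pointed at the real files (for example by reading /var/log/secure line by line), and because the remote host writes the forwarded records in the same layout, it works unchanged on the central log server set up in the last section.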